Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption

Group encryption $$\mathsf {GE}$$ is the natural encryption analogue of group signatures in that it allows verifiably encrypting messages for some anonymous member of a group while providing evidence that the receiver is a properly certified group member. Should the need arise, an opening authority is capable of identifying the receiver of any ciphertext. As introduced by Kiayias, Tsiounis and Yung Asiacrypt'07, $$\mathsf {GE}$$ is motivated by applications in the context of oblivious retriever storage systems, anonymous third parties and hierarchical group signatures. This paper provides the first realization of group encryption under lattice assumptions. Our construction is proved secure in the standard model assuming interaction in the proving phase under the Learning-With-Errors $$\mathsf {LWE}$$ and Short-Integer-Solution $$\mathsf {SIS}$$ assumptions. As a crucial component of our system, we describe a new zero-knowledge argument system allowing to demonstrate that a given ciphertext is a valid encryption under some hidden but certified public key, which incurs to prove quadratic statements about $$\mathsf {LWE}$$ relations. Specifically, our protocol allows arguing knowledge of witnesses consisting of $$\mathbf {X} \in \mathbb {Z}_q^{m \times n}$$, $$\mathbf {s} \in \mathbb {Z}_q^n$$ and a small-norm $$\mathbf {e} \in \mathbb {Z}^m$$ which underlie a public vector $$\mathbf {b}=\mathbf {X} \cdot \mathbf {s} + \mathbf {e} \in \mathbb {Z}_q^m$$ while simultaneously proving that the matrix $$\mathbf {X} \in \mathbb {Z}_q^{m \times n}$$ has been correctly certified. We believe our proof system to be useful in other applications involving zero-knowledge proofs in the lattice setting.

[1]  W. Banaszczyk New bounds in some transference theorems in the geometry of numbers , 1993 .

[2]  Oded Goldreich,et al.  Collision-Free Hashing from Lattice Problems , 1996, Electron. Colloquium Comput. Complex..

[3]  Douglas Wikström,et al.  Hierarchical Group Signatures , 2005, ICALP.

[4]  Ivan Damgård,et al.  Efficient Concurrent Zero-Knowledge in the Auxiliary String Model , 2000, EUROCRYPT.

[5]  Aggelos Kiayias,et al.  Group Signatures with Efficient Concurrent Join , 2005, EUROCRYPT.

[6]  David Cash,et al.  Bonsai Trees, or How to Delegate a Lattice Basis , 2010, Journal of Cryptology.

[7]  Damien Stehlé,et al.  Improved Zero-Knowledge Proofs of Knowledge for the ISIS Problem, and Applications , 2013, Public Key Cryptography.

[8]  Damien Stehlé,et al.  Classical hardness of learning with errors , 2013, STOC '13.

[9]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[10]  Chris Peikert,et al.  Generating Shorter Bases for Hard Random Lattices , 2009, Theory of Computing Systems.

[11]  Keisuke Tanaka,et al.  Concurrently Secure Identification Schemes Based on the Worst-Case Hardness of Lattice Problems , 2008, ASIACRYPT.

[12]  Miklós Ajtai,et al.  Generating Hard Instances of the Short Basis Problem , 1999, ICALP.

[13]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[14]  Aggelos Kiayias,et al.  Group Encryption , 2007, ASIACRYPT.

[15]  Dan Boneh,et al.  Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles , 2004, IACR Cryptol. ePrint Arch..

[16]  Vadim Lyubashevsky,et al.  Lattice-Based Identification Schemes Secure Under Active Attacks , 2008, Public Key Cryptography.

[17]  Marc Joye,et al.  Toward Practical Group Encryption , 2013, ACNS.

[18]  Xavier Boyen,et al.  Adapting Lyubashevsky's Signature Schemes to the Ring Signature Setting , 2013, AFRICACRYPT.

[19]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[20]  C. P. Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[21]  Jacques Stern,et al.  A new paradigm for public key identification , 1996, IEEE Trans. Inf. Theory.

[22]  Huaxiong Wang,et al.  Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions , 2016, ASIACRYPT.

[23]  Markus Rückert,et al.  Lattice-based Blind Signatures , 2010, Algorithms and Number Theory.

[24]  Dan Boneh,et al.  Efficient Lattice (H)IBE in the Standard Model , 2010, EUROCRYPT.

[25]  Tibor Jager,et al.  Confined Guessing: New Signatures From Standard Assumptions , 2014, Journal of Cryptology.

[26]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[27]  Huaxiong Wang,et al.  Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors , 2016, Journal of Cryptology.

[28]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[29]  Rui Xue,et al.  Zero Knowledge Proofs from Ring-LWE , 2013, CANS.

[30]  Huaxiong Wang,et al.  Lattice-based Group Signature Scheme with Verifier-local Revocation , 2014, IACR Cryptol. ePrint Arch..

[31]  Huaxiong Wang,et al.  Provably Secure Group Signature Schemes From Code-Based Assumptions , 2015, IEEE Transactions on Information Theory.

[32]  Chris Peikert,et al.  Public-key cryptosystems from the worst-case shortest vector problem: extended abstract , 2009, STOC '09.

[33]  Zhenfeng Zhang,et al.  Simpler Efficient Group Signatures from Lattices , 2015, Public Key Cryptography.

[34]  Moti Yung,et al.  Group Encryption: Non-interactive Realization in the Standard Model , 2009, ASIACRYPT.

[35]  Mihir Bellare,et al.  Key-Privacy in Public-Key Encryption , 2001, ASIACRYPT.

[36]  Vinod Vaikuntanathan,et al.  Noninteractive Statistical Zero-Knowledge Proofs for Lattice Problems , 2008, CRYPTO.

[37]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[38]  Huaxiong Wang,et al.  Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-Based , 2015, Public Key Cryptography.

[39]  Jan Camenisch,et al.  Better Zero-Knowledge Proofs for Lattice Encryption and Their Application to Group Signatures , 2014, ASIACRYPT.

[40]  Jonathan Katz,et al.  A Group Signature Scheme from Lattice Assumptions , 2010, IACR Cryptol. ePrint Arch..

[41]  Jonathan Katz,et al.  Chosen-Ciphertext Security from Identity-Based Encryption , 2004, SIAM J. Comput..

[42]  David Pointcheval,et al.  Mediated Traceable Anonymous Encryption , 2010, LATINCRYPT.

[43]  Vinod Vaikuntanathan,et al.  Predicate Encryption for Circuits from LWE , 2015, CRYPTO.

[44]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[45]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[46]  Stephan Krenn,et al.  Efficient Zero-Knowledge Proofs for Commitments from Learning with Errors over Rings , 2015, ESORICS.

[47]  Amit Sahai,et al.  Efficient Non-interactive Proof Systems for Bilinear Groups , 2008, EUROCRYPT.

[48]  Damien Stehlé,et al.  Lattice-Based Group Signatures with Logarithmic Signature Size , 2013, ASIACRYPT.

[49]  Moti Yung,et al.  Traceable Group Encryption , 2014, Public Key Cryptography.

[50]  Stephan Krenn,et al.  Commitments and Efficient Zero-Knowledge Proofs from Learning Parity with Noise , 2012, ASIACRYPT.

[51]  Daniele Micciancio,et al.  Statistical Zero-Knowledge Proofs with Efficient Provers: Lattice Problems and More , 2003, CRYPTO.

[52]  David Chaum,et al.  Group Signatures , 1991, EUROCRYPT.

[53]  Craig Gentry,et al.  Fully homomorphic encryption using ideal lattices , 2009, STOC '09.

[54]  Sherman S. M. Chow Real Traceable Signatures , 2009, Selected Areas in Cryptography.

[55]  Xavier Boyen,et al.  Lattice Mixing and Vanishing Trapdoors A Framework for Fully Secure Short Signatures and more , 2010 .

[56]  Chris Peikert,et al.  Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller , 2012, IACR Cryptol. ePrint Arch..

[57]  Jan Camenisch,et al.  A Signature Scheme with Efficient Protocols , 2002, SCN.